Posted by Soulskill on Tuesday December 06, 2011 @03:14PM from the somebody's-having-a-bad-day-at-the-office dept.

Velcroman1 writes "A security hole in Facebook allowed almost anyone to see pictures marked as private, an online forum revealed late Monday. Even pictures supposedly kept hidden from uninvited eyes by Facebook's privacy controls aren't safe, reported one user of a popular bodybuilding forum in a post entitled 'I teach you how to view private Facebook photos.' Facebook appears to have acted quickly to eliminate the end-run around privacy controls, after word of the exploit spread across the Internet. It wasn't long before one online miscreant uploaded private pictures of Facebook founder Mark Zuckerberg himself — evidence that the hack worked, he said."

Who says Slashdot doesn't change with the times? See how the (sometimes twice) daily "New remote execution flaw in Windows" articles have been replaced by "New egregious privacy violation found in Facebook" stories?

OH MY GOD! You mean someone might just see a photo of my dog? STOP THE PRESSES, MY PRIVACY HAS BEEN RAPED.

The Facebook "threat" to privacy is overblown. I've got a Facebook account. I hardly use it, and don't really have much there. The pictures of me that ARE there are just fishing trip pictures posted by other people. Why the hell should I care who can see them?

So you don't care that FB harvests PII (personally identifiable info) from your friends and can add more info to your account than you wish to surrender to them yourself?

While some of the privacy issues are overblown, there are some disturbing trends. One other fun one is "shadow profiles".

Supposedly FB is compiling the info they harvest from your friends' contact lists and "creating" profiles for people who aren't on FB yet.

For example, your coworker "Bob" isn't on facebook. You are, as well as a dozen or so

If you upload something to Facebook, assume anyone can see it. Whether it's a genuine hack, somebody figuring out your password, or leaving a computer logged in while you go grab coffee, somebody will at some point have access to everything, so don't upload it in the first place. It's that simple.

That means don't complain profusely about your boss every day, don't send explicit messages to your lover, and certainly don't use Facebook to archive those pictures of that wild bachelor party.

... While I do know some has posted pictures of me, those pictures can't truly be linked to me.

That is, until the other user imports their contact lists with your email addresses and phone numbers into Facebook, and starts tagging pictures of you, and they correlate others' address books with you in them. Then Facebook has a good idea who you are and who your "friends" are without you ever logging in.

That means don't complain profusely about your boss every day, don't send explicit messages to your lover, and certainly don't use Facebook to archive those pictures of that wild bachelor party.

But I hate my boss; he's a total asshole! And my boyfriend loves getting steamy messages (hey, Brian, I'm not wearing panties today. Surprise for when you get home after work!;) ), and I archive all the bachelor parties that I perform at. I need to have a portfolio after all! How will the next bachelor party find out if they want me vs. that skank across town?

You can tell he's a coder because he substituted the placement instead of thinking about it as being "inside" a layer which must be closed regardless of the last character. Other people see the aesthetics of one vs two )'s and one for many *looks* better. As a coder we know we didn't properly close our parens.

Programmer's thought process.

Ok I'm inside a parens.
content.
more content.
smiley
Ok, I have to close this parens.

==Normal person's thought process.==

Ok I'm whispering, so I need to start with a (
content.
more content.
Now I'm done. (looks at the sentence, and thinks a single closing paren looks better, does not add another one)

(hey, Brian, I'm not wearing panties today. Surprise for when you get home after work!;) )

This is the classic problem of how to properly close a parenthetical statement that ends with an emoticon.

Another semantic nugget I wanted to add, is when you use slash to separate two things ("cat/dog"). If an item consists of multiple words, you should cover it in curly brackets so that you know what words the option covers ("cat/{big dog}").

So technically the sentences "Today I'm going to fix the garage/kitchen door" and "Today I'm going to fix the garage/{kitchen door}" are two different things. In the first one you're either fixing the door of garage or kitchen. In the second one you're either fixing the w

Well, of course, if you "perform" professionally at bachelor parties, then perhaps your Facebook page is a marketing tool for your entertainment business. In that case, it should present an image suitable to your profession. If that means insulting your boss to help potential customers identify with you, then so be it.

One of them had the idea that she could shock me by giving me her business card that bore a professionally photographed wide-open beaver shot.

If you're anywhere near Santa Cruz, California, Seraphina Landgrebe does excellent erotic photography. I rang her up once in hopes that she could do a nice portrait for use as a Valentine's Day gift, but I did not yet have the kind of relationship with that young lady that would have made Seraphina's suggestion that I pose while clad in nothing but a leopard-print jo

I used to think this, but there are some pretty convincing arguments in The Net Delusion that have caused me to rethink that position. There are a lot of Facebook users, and dissident groups cannot avoid using Facebook to reach people, simply because of the large number of people on Facebook. If Facebook does not take privacy seriously, the risk to dissidents who try to contact their fellow citizens on Facebook will grow.

The point here is that yes, it is a problem when Facebook unexpectedly opens its users' data to the world against their wishes. There are legitimate reasons why someone might use Facebook but want to keep their account data private.

Newsflash: any dissidents attempting to use Facebook are being plain stupid. That's like sending an email containing your entire list of friends and family to every government in the world, but with way more detail about what you do and where you are.

You do realize that Facebook privacy terms only apply to other users who use Facebook for free, and follow the terms of service, right? Facebook hackers, bots, and government agencies (and likely some large corporations) have full access to Facebook data. So does Facebook. Not only is your "private" Facebook data fair game, so is the "hidden" Facebook data, such as your access log, answers to security questions, access patterns (when you did what), etc.

In general, this is true of anything you post on the Internet. I look at it this way: try to avoid posting things on Facebook, Twitter, Google+, Slashdot, Flickr, or any other site, that you might be embarrassed for a family member to see, or a future potential employer. If it's on the Internet, assume anyone can see it.

My immediate personal response to this Facebook flaw: ohmigosh! Then I remembered that my photos are pretty much my cats, work we've done on the house, flowers, speakers at events, and simil

I wonder what constitutes a "private photo" for Zuckerberg, my guess is he has no photos that would be even remotely interesting since he knows the ins and outs of FB, and why does spell check want to turn "zuckerberg" into "rubbernecker"?

I saw a link to the forum discussing this somewhere. From the description of the "hack", I was certain this is a hoax. You see, the idea is that the hack is to report the user with private pictures to facebook as having "nude/pornographic" images, and in the image flagging process it shows you private-only pics as well. So it really sounded like a hoax to me to have people go around reporting private profiles of hot girls (or even boys I guess), and I am surprised it is a real security flaw. Not that you can call something on facebook a security flaw, since that would require security in the first place, right?

I was wondering about that. Whether the summary was correct in that Facebook worked quickly to fix it because the exploit spread across the Internet, or if it was because someone posted Zuckerberg's private pictures.

The Canadian privacy expert David Flaherty expresses a similar idea when he argues: "There is no sentient human being in the Western world who has little or no regard for his or her personal privacy; those who would attempt such claims cannot withstand even a few minutes' questioning about intimate aspects of their lives without capitulating to the intrusiveness of certain subject matters."

Some guy over at Kuro5hin who I know only as modus [kuro5hin.org] got the idea that I am some manner of dangerous criminal psychopath because I was so inconsiderate of his easily-wounded feeling to point out that, after two decades of working as a coder, I was weary of the work and wanted to change careers by going back to school to learn how to compose symphonies.

If you look at his comment and diary history at his user info page I linked above, you'll find that the vast majority of them are focussed entirely on me, quite

A squirrel dying in front of your house may be more relevant to your interests right now than people dying in Africa. -Mark Zuckerberg

No Mark,

The private pics of the girl I crush on, yes, those are more relevant to my interests than people dying in Africa. Thank you for giving me occasional glimpses of hope with your privacy blunders.

Yours Sincerely,
Creep.

Mistakes happen. Things get through QA. When a bug occurs, if it's in a flight control system, you might crash. If it's in a backup system, you might lose data. If it's in a social network, you might block users you didn't mean to, or you might open your data to unwanted eyes.

Unless we're going to start regulating social networks like we do products for some other industries, then, well, there's a reasonable likelihood of this sort of thing happening on a regular basis. If you don't like it, don't share stuff on Facebook.

Regulating social network software might actually be a good idea. Not as in restricting content, but as in requiring certain standards to be met. Like it or not, we live in a connected world where information is shared, collated and mined. Errors in that data are next to impossible to correct because they spread faster than you can correct them. In the absence of data privacy laws, it is essential that the calibre of software be such that inappropriate access is kept to an absolute minimum.

From what I hear from friends who have recently interviewed at Facebook, right now there are apparently banners hung on the walls in the Facebook offices that say "Don't test, just ship." Every developer has the power to push code to production.

There's considerable space for improvement in quality here before getting to some sort of certification program; for example "a social network should have some QA, more than none" seems like it would be an improvement.

In Europe we have a thing called data protection. Organisations who monger personal information have a legal obligation to protect it. Facebook are not exempt. Social networks are already regulated in the advanced world.

I don't hate America, I've had some lovely holidays there (except for that one time in New York when they blew up the WTC) and some of my best friends are Americans. I do hate America's lack of data protection legislation, dangerous gun laws, propensity to vote oil industry shills into power, desire to market dangerous food to the rest of the world, and one or two other things, but nowhere's perfect. Not a reason not to call out the bad parts when you see em though.

Yes, but I don't think there's a single active social network which was designed from the ground up with privacy in mind. Hell, even the most carefully designed network is only as well controlled as its participants. The moment I share something with you, you can share that with the world. Even if copying and pasting isn't possible, you could take a screen shot of any comments I make and post them anywhere.

I was thinking of designing a p2p social network as a thought exercise. Such a network would re

This particular bug could easily have been prevented by making all object requests pass through a layer that implements some form of mandatory access control. But given this story it's obvious there's no such layer in Facebook, and it's up to the developers to bake uniform security policies into every feature they implement. This is a problem that following the DRY principle would have prevented.

The other day I finally got around to configuring those privacy settings that everyone has been so on about. Facebook sure doesn't make them easy to find.

I was shocked to find that my account granted access to about three dozen apps that I never even heard of. There were only two or three that I signed up for with my own conscious knowledge. I don't have the first clue how I got signed up for all the rest.

That just pissed me off. As I was no longer actually using the two or three apps that I did voluntarily use, I deleted all three dozen from my account.

You may be completely unaware that a whole bunch of private companies that are not affiliated with Facebook have access to your personal data. Even if you want to use a particular Facebook app, you should configure that particular app's privacy settings to grant it access only to the data you voluntarily want it to have. If you are no longer using an app, or don't recall ever requesting the use of it, you should delete it from your account completely.

Here's what you do:

Log in to your Facebook account. (Heh, when I did that just now, I found my account locked. It turned out to be because I had deleted my cookies, not because Facebook caught me spreading the word about how to dump what Facebook considers to be its real customers!)

At the top-right is your username, "Friends", "Home" and a small triangle. Click on the small triangle then select "Privacy Settings".

Click on "Edit Settings" to the right of "Apps and Websites". You may need to scroll down a little bit.

Click on "Edit Settings" to the right of "Apps You Use".

I no longer use any apps so I can't continue from here, but at this point it should be pretty clear what to do.

Some apps really will require access to your details so they can function. If so, be certain that you really want to continue using those apps. Give them the minimum level of access that you really want them to have. Delete all the rest.

The vast majority of old friends that I want to find again don't have the first clue how to use Google.

While I'm pretty good at "Feeling Lucky" myself, the kind of people who don't know how to use Google also tend not to appear anywhere on the Web under their own real names.

One of my very best friends during my Freshman year of high school was a fellow Roman Soldier in Armijo High School's production of Jesus Christ Superstar. I'm handy with tools, so with the help of Ted and the other tool-handy Roman Sol

I think this story is revealing about Facebook's security architecture. One would have hoped that security policies are defined within the application at a very low level and that all requests for information -- be it photos, posts, whatever -- must pass through that low-level security layer. What this story reveals is that the security architecture of Facebook is such that each developer of each separate function (in this case, the report-a-nude-photo function) is responsible for re-implementing security checks.
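The design point raised in this comment and in the earlier one about a mandatory access control layer, as an added example that is not part of the thread and is not Facebook's code. All names (`Photo`, `PhotoGateway`, `can_view`, the report-picker functions) and the sample data are hypothetical; it contrasts a feature that reads storage directly with the same feature confined to a single mediating layer.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Photo:
    photo_id: int
    owner: str
    audience: str  # "public", "friends" or "only_me"


# Constructed sample data; users and audiences are hypothetical.
FRIENDS = {"alice": {"bob"}, "bob": {"alice"}, "mallory": set()}
PHOTOS = [
    Photo(1, "alice", "public"),
    Photo(2, "alice", "friends"),
    Photo(3, "alice", "only_me"),
]


def can_view(viewer: str, photo: Photo) -> bool:
    """Single policy decision point: every read is judged here."""
    if viewer == photo.owner or photo.audience == "public":
        return True
    if photo.audience == "friends":
        return viewer in FRIENDS.get(photo.owner, set())
    return False  # "only_me" and any unknown audience value: deny


class PhotoGateway:
    """The only object features receive; the raw list stays private to it."""

    def __init__(self, photos):
        self.__photos = list(photos)

    def photos_of(self, viewer: str, owner: str) -> list:
        return [p for p in self.__photos
                if p.owner == owner and can_view(viewer, p)]


def report_picker_per_feature(viewer: str, owner: str) -> list:
    """'Before': the feature queries storage itself and its author left out
    the check, so the picker lists every photo the owner has."""
    return [p.photo_id for p in PHOTOS if p.owner == owner]


def report_picker_mediated(gateway: PhotoGateway, viewer: str, owner: str) -> list:
    """'After': the same feature, but it can only ask the gateway."""
    return [p.photo_id for p in gateway.photos_of(viewer, owner)]


GATEWAY = PhotoGateway(PHOTOS)
```

With the gateway as the only read path, a newly written feature cannot skip the check by omission, because it has no other way to reach the photos.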

Please know that on Facebook, whatever your privacy settings are, your photos are only secured by the obscurity of the URL. The Facebook servers that serve static content do so efficiently by doing nothing else. No cookies, no session management, etc. If you happen to know the url of an image (not the facebook url that wraps the image but the actual resource url) you can view it from anywhere whether or not you are logged in.

In addition to that if you have the static URL to the photo it persists after the photo has been deleted as well. I tested this by loading a URL after a photo had been deleted from the profile and voila! It's still there.

This has nothing to do with DNS. When an image is "removed" from Facebook, the image is left on the server. The URL is something like this: http://a3.sphotos.ak.fbcdn.net/ [fbcdn.net] . Using the rest of the url, you can always access the image because they're not changing around which servers are assigned which names.
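A common mitigation for the situation these comments describe (static servers that keep no cookies or sessions, so the URL alone grants access) is a signed, expiring URL that the static server can verify statelessly. The sketch below is an added example, not part of the thread and not a description of how Facebook's servers work; the key, path and parameter names (`expires`, `sig`) are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

SECRET = b"constructed-demo-key"  # placeholder; a real key lives in a secret store


def _mac(path: str, expires: int, key: bytes) -> str:
    # Bind the signature to both the resource path and its expiry time.
    return hmac.new(key, f"{path}\n{expires}".encode(), hashlib.sha256).hexdigest()


def sign_url(path: str, expires: int, key: bytes = SECRET) -> str:
    """Issued by the application after it has checked the viewer's access."""
    return f"{path}?{urlencode({'expires': expires, 'sig': _mac(path, expires, key)})}"


def verify_url(url: str, now: int, key: bytes = SECRET) -> bool:
    """Run by the static server: no cookies or sessions, only the shared key."""
    parts = urlparse(url)
    query = parse_qs(parts.query)
    try:
        expires = int(query["expires"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return False  # unsigned or malformed URL: refuse
    expected = _mac(parts.path, expires, key)
    # Constant-time comparison on bytes; reject once the expiry has passed.
    return hmac.compare_digest(sig.encode(), expected.encode()) and now <= expires
```

A leaked or remembered link then stops working at `expires`, and a deleted photo stops being reachable once the application stops issuing fresh signatures for it.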

Inconveniently, tiny networks are dubiously useful for most of the purposes to which people put facebook, network effects and all that.

It's not my cup of tea; but the notion that one could usefully improve one's security by simply replacing facebook with a personally implemented private network is roughly similar to the notion that one can usefully improve one's security by severing one's LAN from the internet.

All the QA in the world won't help if the findings of the QA engineers do not result in defects being acknowledged or fixed. QA in those cases is not a testing group; it's a rubber stamp for which the question "do we ship it" is required to be "yes". This arises either because QA reports to a development manager (i.e. someone whose performance review is based on what is released how close to schedule under budget, therefore someone who simultaneously has the motivation and the power to ignore QA findings), or